Data protection in SAP Business One is supported with numerous functions and meets all current requirements of the GDPR.
Since 25 May 2018, the General Data Protection Regulation (GDPR for short) has been in force in all countries of the European Union and the European Economic Area and must be observed by all companies. Although the GDPR, as an EU regulation, is directly applicable in every EU member state, it contains numerous opening clauses that give national legislators certain room for manoeuvre. The General Data Protection Regulation therefore offers individuals control and protection of their personal data. Personal data is any data that identifies an individual natural person or can be used to identify an individual.
In general, no personal data may be stored without purpose and explicit consent. Overall, it can be said that the requirements for legally compliant processing and handling of personal data are increasing in the following areas:
- Provision of reports or functions with which persons can be informed about their stored personal data.
- Deletion of personal data, so-called "right to be forgotten"
- Recording of changes to personal data
- Recording of read access to sensitive personal data
Activation of the GDPR tools in SAP Business One
To be able to use the data protection functions provided by SAP Business One, you must have general authorisation to use the data protection tools on the one hand and activate the management of personal data protection on the other. However, the GDPR is already activated for all EU countries in the SAP Business One standard version. Deactivation, on the other hand, is only possible before a natural person has been identified or personal data has been deleted or blocked.
After activating the protection of personal data, the following functions are available:
- Personal data management
- Assistant for the management of personal data
- Access log for sensitive personal data
Definition of personal data
After the activation of the GDPR module has been completed, one can turn to the detailed definition of the data that are considered personal.
The management of personal data with the SAP Business One data protection tools starts with data categorisation. Data that is categorised as personal or sensitive is included in other processes for personal data. Different types of data must be properly categorised so that the functions for protecting personal data can be used effectively. However, not all data can be classified as personal data.
Personal or sensitive data
Only data that is displayed in the Personal Data Management window can be classified as such. Data can be categorised in SAP Business One as personal, non-personal or, in special cases, as sensitive personal data. Examples of fields that can belong to sensitive personal data are bank accounts, passport numbers and user-defined fields (UDF) if they are linked to personal data objects.
SAP Business One automatically encrypts fields that are classified as sensitive personal data; access to them is restricted via authorisations and logged. Changing the classification from sensitive to personal or non-personal data cancels the encryption and access restrictions.
Assistant for the management of personal data
As the next step, the personal data management wizard in SAP Business One offers six different options for managing personal data:
- Identify natural persons
- Undo the identification of natural persons
- Personal data report
- Personal data cleansing
- Blocking personal data
- Unblocking personal data
However, not all personal data can be managed by the data protection wizard in SAP Business One. Instead, personal data must be managed and removed manually for the following objects, for example:
- Time sheets whose type is set to Other
- Target groups included in campaigns
- Remarks in the business partner master data
- Content in Activities
Natural persons in SAP Business One
Natural persons can be determined and identified in terms of data protection in SAP Business One using the wizard. You can use a wizard function to determine which data is to be classified as a natural person and which is not. Data that can be used to identify a natural person is described as personal. Once you have determined the "natural persons", you can manage the corresponding personal data and perform other functions of the wizard. However, you can undo the identification or classification of a natural person using the "Undo natural person identification" option.
Personal data report
The personal data report provides a retrieval function that can be used to inform data subjects about the personal data stored about them. As a rule, natural persons have the right to request a report on all stored information about themselves. When generating a report on personal data, the programme saves it in a temporary folder on your computer. Once generation is complete, SAP Business One automatically deletes the report, including the corresponding notification.
Personal data cleansing
According to various country-specific regulations, personal data may only be stored for specific purposes or processes. As soon as the purpose no longer applies or the process has been completed, the personal data should also be deleted. Natural persons can also request the deletion of their personal data. The wizard can be used to purge personal data or delete it from SAP Business One.
Blocking personal data
If you are obliged to retain personal data in accordance with a retention period, you can block access to the data. After blocking personal data, the data remains in the system, but can only be accessed by unblocking it. By blocking the personal data of selected natural persons, SAP Business One encrypts the database entries. The application also anonymises the corresponding data on the user interface. Personal data can only be unblocked again via a wizard. By unblocking the personal data, SAP Business One decrypts the database entries and makes the data available again on the user interface.
Data protection protocols in SAP Business One
The access log for sensitive personal data provides an overview of who has accessed sensitive personal data in SAP Business One. The access log shows access to personal data in detail. Access to sensitive data via the DI API or the payment wizard is recorded in the access log. When using sensitive data in the course of a query or when exporting a table, the sensitive data is encrypted and therefore no access is logged.
